New Android Malware Threatens Users' Personal Data

NEWS ANALYSIS: Innovative new malware design makes it possible to take data from Android smartphones and tablets without actually infecting the device.

Google's Android mobile operating system continues to attract a growing number of malware threats as creators discover the ease of working with an open software environment. The result, as eWEEK noted, is a huge jump in malware over the last year. Some of these threats can be innovative in their efforts to extract financial data from unsuspecting users.

One such threat, discovered by malware researchers at McAfee, is a new remotely controlled man-in-the-middle attack that can steal the initial password from a mobile device without actually infecting the user's device.

The malware uses its man-in-the-middle activity to pose as a token generator for a bank, using the bank's logo, according to McAfee researcher Carlos Castillo. The fake token-generator is really intended to look like the user's bank log-in screen, and it asks for the initial password. When it receives this, it runs XML code that captures additional access information, as well as the user's contact list. The initial contact that leads to a man-in-the-middle attack is usually a Short Messaging Service (SMS) text sent to the user's phone that appears to be from the bank.

Once the XML commands are run, the malware creates a system event that executes at a future time and then listens for commands from control servers that cause the device to send the required information, and to add updates that allow the malware to update itself and to initiate spyware. This, in turn, allows the control server to gather additional credentials that will allow the server operator to gain access to the user's bank accounts.

This threat is basically a phishing attack so the user can be tricked into believing that it is a legitimate application from a real bank, Castillo wrote in an email interview.

However, Castillo notes that only Android users who have selected the option in the Android settings that allows installing apps from unknown sources are vulnerable to this attack. He said that legitimate banking applications would be available from the Android Market, now renamed Google Play. He said that Google checks the apps there for malware, and gets rid of them using Google Bouncer.

The user should avoid the installation of applications from non-trusted sources/markets, said Castillo. He also recommended installing an anti-malware package on any Android device.

Currently, McAfee lists the new Android malware, now known as Android/FakeToken.A, as a low-risk threat, primarily because it requires user intervention in Android's existing security settings in order to work. In addition, this malware puts an icon on the menu page of an Android device and requires that the user invoke the app. However, the fact that this sort of remote-control malware is able to gather information from an Android device is in itself significant. While most enterprises aren't doing their banking on an Android phone, the fact is that the same approach could very easily be used to a different end, such as corporate espionage or to facilitate an attack on a corporate partner.

Wayne Rash is a Senior Analyst for eWEEK Labs and runs the magazine's Washington Bureau. Prior to joining eWEEK as a Senior Writer on wireless technology, he was a Senior Contributing Editor and previously a Senior Analyst in the InfoWorld Test Center. He was also a reviewer for Federal Computer Week and Information Security Magazine. Previously, he ran the reviews and events departments at CMP's InternetWeek.

He is a retired naval officer, a former principal at American Management Systems and a long-time columnist for Byte Magazine. He is a regular contributor to Plane & Pilot Magazine and The Washington Post.